This disclosure is related to methods of enabling a User to make Kerberos service requests from a Menu-Resource Control Program which through a back-end interface, enables a Menu-Assisted Resource Control program to recognize Kerberos commands and to respond back to a User.
In present day networks and computer systems, the need for privacy and proper authentication of the network and computer Users is one of the foremost areas of concern. The Kerberos security system is generally used today as a developing standard for authenticating network Users, and is often used in the UNIX community and in the Unisys ClearPath systems where it is useful because it functions in a multi-vendor network and does not require the transmission of passwords over the network.
Kerberos operates to authenticate Users, that is to say, it determines if a User is a valid User. It does not provide other security services such as audit trails. Kerberos authentication is based on "passwords" and does not involve physical location or smart cards.
In order to implement Kerberos in a system, each computer in a network must run the Kerberos software. Kerberos works by granting a "ticket", which ticket is honored by all of the network computers that are running the Kerberos protocol. The tickets are encrypted, so that passwords never go over the network in "clear text" and the Users do not need to enter their password when accessing a different computer.
Since there is often a need to run Kerberos on every single computer in a network, this sometimes presents a problem for potential Users. Considerable effort and time may be involved in porting Kerberos to each different hardware platform in the network. Kerberos users generally tended to be large networks which were furnished with extensive expertise. Since such resources were not generally available to smaller networks, it was sometimes a problem to make Kerberos available to smaller networks, which normally could not justify the cost and expense.
Kerberos networks are involved with the type of systems designated as "symmetric crypto-systems". One type of symmetric crypto-system is called the "Kerberos Authentication System". This type of system was discussed and published on the Internet by J. T. Kohl and D. C. Neuman in an article entitled "The Kerberos Network Authentication Service", which was published in September 1993 on the Internet as RFC 1510.
Kerberos uses symmetric key crypto-systems as a primitive and often uses the Data Encryption Standard (DES) as an inter-operability standard. Kerberos systems have been adopted as the basis for security service by the Open Software Foundation's (OSF) Distributed Computing Environment (DCE). Thus, Kerberos was designed to provide authentication and key-exchange, but was not particularly designed to provide digital signatures.
Thus, networks require systems and methods for securing communications which provide for one User to authenticate itself to another User; additionally, this often requires systems for securing communications which allow digital signatures to be placed on a message, in order to provide for non-repudiation.
Kerberized environments involve the transmittal of messages, for example, from a server to a client, which leads to several major problems in these networks. These problems involve the situation of how to perform any number of useful functions in the Kerberos environment which may require unusual and flexible types of command structures.
The present disclosure involves the provision of a new User Interface on a Unisys ClearPath NX Server which then permits the User to perform many selectable Kerberos functions. The present system takes advantage of a previously developed Menu-Assisted Resource Control program (MARC) and provides a specialized interface which enables Users to enter Kerberos commands, not only on the MARC command line but also on various menus and forms. Further, it allows the implementation of Kerberos functionality in a Kerberos Support Library without the requirement for making any major changes to the Menu-Assisted Resource Control program, while still providing Users with the Menu-Assisted Resource Control program as a standard Unisys interface in a server such as a Unisys ClearPath NX Server. The newly supplied Kerberos Interface provided herein enables the Menu-Assisted Resource Control program to recognize a command as being a Kerberos command and then to initiate the Kerberos Support Library to provide the Kerberos functionality.
As was indicated in the co-pending companion case, U.S. Ser. No. 09/148,644 entitled "Kerberos Command Structure and Method for Enabling Specialized Kerberos Service Requests," there was provided a series of specialized commands useful for Kerberos functionality. Now it is necessary to make the functionality of these Kerberos commands available to the User in a seamless fashion. Since there was an existing User Interface on the ClearPath server which was called the Menu-Assisted Resource Control program (MARC), it was desirable to make the Kerberos functionality available to the Users of this program in a seamless fashion. Thus, a User can now simply make a Kerberos Service Request through the existing User Interface designated Menu-Assisted Resource Control program. This task was accomplished by taking advantage of a special feature which already existed in the Menu-Assisted Resource Control program called a Directive Interface. As a result of this, the Kerberos command functionality now has the same "look and feel" as all other functions which already existed in the Menu-Assisted Resource Control program. Thus, this enables a uniform type of request across the board whether it is a Kerberos request or some other request. Advantageously over the former traditional use of the Directive Interface, it is now possible for Users to enter the new functional Kerberos commands via menus and forms in a fashion which could not be done with the traditional Directive Interface.
The present method and system describes what is designated as a "back end interface" which is normally not visible to the User but provides the functionality of enabling the User to send a Kerberos Service Request via MARC to the Kerberos Support Library (KSL) and then receive a return response from the Kerberos Support Library via MARC to the User, which is displayed in a seamless fashion.
A Kerberos Domain is provided whereby a client-User may communicate with a specialized client-server and a Kerberos-server. The client-server (ClearPath server) provides a Menu-Assisted Resource Control program (MARC) which enables client requests to access a Kerberos Support Library via a Directive Interface. The client-server has a Universal Data Port which communicates with a Kerberos server. The Kerberos server has a Key Distribution Center (KDC), a Kerberos Administration File (K-ADMIN) and a Kerberos data base which provides information and data to the client-server, also designated as a ClearPath server.
The client-server (ClearPath server) provides a connection via a network cloud to a User-client and to the Kerberos server. The client-server is provided with a Universal Data Port (UDP) which connects to the Kerberos server. The client-server also has a User Interface which connects to a Kerberos Support Library (KSL) which includes a Directive Interface which processes the Kerberos commands coming from the Menu-Assisted Resource Control program.
The Kerberos Support Library connects to the Master Control Program, the User Interface, and the Universal Data Port on the one hand while also connecting to an encryption Library, a User Data Module and General Security Service Application Program Interface Support Library (GSSAPI).
The Menu-Assisted Resource Control program is provided with a MARC Directive Interface which holds a Kerberos Entry Point (KEP). Likewise, the Kerberos Support Library is provided with a Kerberos Directive Interface which has its own Kerberos Entry Point (KEP). These two entry points are duplicates of each other in terms of software applicability, so that the MARC program can now link to the Kerberos Support Library to obtain a response to the Kerberos command, which it can then relay back to MARC for response back to the User.
As a result, the User who already has a Menu-Assisted Resource Control program may now, via the Kerberos Interface, use and access Kerberos commands through the Menu-Assisted Resource Control program, which utilizes the Kerberos Support Library to generate a response back to MARC, which can then reply to the User.
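The round trip described above (MARC command line or form, Directive Interface, Kerberos Entry Point, Kerberos Support Library, response relayed back to the User), as an added model that is not code from the disclosure or from Unisys. The command names KINIT, KLIST and KDESTROY and the realm are constructed for illustration; the disclosure does not list the actual command set.

```python
"""Model of the MARC back-end interface: a line typed on the MARC command line,
or a form submitted from a MARC menu, is classified by the Directive Interface;
Kerberos commands go to the Kerberos Entry Point (KEP) of the Kerberos Support
Library (KSL) and the KSL response is relayed back to the User unchanged."""
from dataclasses import dataclass, field

# Constructed command set; the real commands are in the companion case.
KERBEROS_COMMANDS = {"KINIT", "KLIST", "KDESTROY"}


@dataclass
class KerberosSupportLibrary:
    """Stand-in for the KSL: holds per-User ticket state and answers KEP calls."""
    tickets: dict = field(default_factory=dict)

    def kerberos_entry_point(self, user: str, command: str, args: list) -> str:
        # KSL-side KEP; MARC's KEP is its mirror, so both sides agree on this contract.
        if command == "KINIT":
            principal = args[0] if args else f"{user}@EXAMPLE.REALM"   # assumed realm
            self.tickets[user] = principal          # a ticket is granted; no password is relayed
            return f"Ticket granted for {principal}"
        if command == "KLIST":
            return f"Ticket: {self.tickets[user]}" if user in self.tickets else "No tickets"
        if command == "KDESTROY":
            self.tickets.pop(user, None)
            return "Tickets destroyed"
        return f"Unknown Kerberos command {command}"


class MARC:
    """Menu-Assisted Resource Control with the Kerberos Directive Interface."""
    def __init__(self, ksl: KerberosSupportLibrary):
        self.ksl = ksl

    def directive_interface(self, user: str, line: str) -> str:
        # Recognise whether the line is a Kerberos command; if so hand it to the KEP,
        # otherwise let ordinary MARC processing handle it.
        parts = line.split()
        if not parts:
            return "Empty command"
        command, args = parts[0].upper(), parts[1:]
        if command in KERBEROS_COMMANDS:
            return self.ksl.kerberos_entry_point(user, command, args)
        return f"MARC handles {command} as a regular command"

    def submit_form(self, user: str, command: str, fields: dict) -> str:
        # A menu/form entry is folded into the same command line path, which is
        # what gives Kerberos requests the same look and feel as other requests.
        line = " ".join([command] + [str(v) for v in fields.values()])
        return self.directive_interface(user, line)
```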